Privacy Policy

This Privacy Policy (“Policy”) describes how Ashva Experts, having its registered address at 220, 6TH CROSS, GANAKALLU, SRINIVASAPURA COLONY, KENGERI HOBLI, BANGALORE, KARNATAKA, INDIA - 560060 (“Ashva Pure”, “we”, “us”, or “our”), collects, uses, stores, shares, and protects your personal data when you access or use our websites (including ashva.aumlayer.com and ashvaexperts.com), mobile applications, customer portal, and related services (collectively, the “Platform”).

This Policy is drafted in accordance with the Digital Personal Data Protection Act, 2023 (“DPDP Act”), the Information Technology Act, 2000 (“IT Act”), the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“IT Rules”), and other applicable data protection and consumer protection laws in India.

This Policy applies to all individuals who access or use the Platform, including customers, visitors, and service beneficiaries. By accessing or using the Platform, you acknowledge that you have read and understood this Policy. If you do not agree with our data practices, please refrain from using the Platform.

For the purposes of this Policy, the following terms shall have the meanings assigned below, consistent with the DPDP Act, 2023:

• “Personal Data” means any data about an individual who is identifiable by or in relation to such data, as defined under the DPDP Act.
• “Processing” means any operation or set of operations performed on personal data, including collection, storage, use, sharing, disclosure, and erasure.
• “Data Principal” means the individual to whom the personal data relates — in this context, you, the customer or user.
• “Data Fiduciary” means the entity that determines the purpose and means of processing personal data — in this context, Ashva Pure.
• “Data Processor” means any entity that processes personal data on behalf of the Data Fiduciary.
• “Consent” means a free, specific, informed, unconditional, and unambiguous indication of the Data Principal's wishes, by a clear affirmative action, signifying agreement to the processing of personal data.

We collect and process the following categories of personal data depending on how you interact with our Platform and services:

3.1 Identity and Contact Information

Name, mobile phone number, email address (optional), residential or commercial address (including house/flat number, street, locality, city, state, and pincode), and location details necessary to determine serviceability within our Service Area (Bengaluru, Karnataka (with planned expansion across Karnataka)).

3.2 Account and Authentication Data

OTP verification logs (WhatsApp OTP and SMS OTP are used for authentication; WhatsApp OTP is mandatory where enabled), session tokens, login timestamps, and device identifiers used during authentication.

3.3 Communications Logs

We may retain logs of transactional and support-related communications (e.g. WhatsApp, SMS, email, push). Where call recording is enabled for quality or support purposes, you will be informed at the start of the call or through our Policy; such recordings are processed only as disclosed and in accordance with applicable law.

3.4 Service History and Operational Data

Service and support ticket records, technician visit notes, device details (brand, model, serial number, installation type), photos and videos uploaded by you or our technicians during service visits, subscription and plan details, and service feedback or ratings.

3.5 Payment References

We store payment references, transaction IDs, and payment status for reconciliation, invoicing, and refund processing. We do not store payment card details (card numbers, CVV, or full bank account details). Payment processing is handled by our payment gateway partners (Razorpay and Cashfree Payments); sensitive payment data is processed exclusively by them.

3.6 Technical and Usage Data

IP address, browser type and version, operating system, device type, screen resolution, pages visited, time spent on pages, referring URLs, and basic cookie data. This information is collected automatically when you access the Platform.

We process your personal data for the following purposes:

• Service delivery: To fulfil your rental subscription or one-time service request, schedule installations and maintenance visits, dispatch technicians, and deliver the services you have requested.
• Account management: To create and manage your account, authenticate your identity, and provide access to the Platform's features.
• Scheduling and logistics: To determine serviceability, plan technician routes, and coordinate service timing.
• Invoicing and payments: To generate invoices, process payments, manage refunds, and maintain financial records as required by law.
• Customer support: To address your queries, complaints, and service requests efficiently.
• Fraud prevention: To detect, investigate, and prevent fraudulent transactions, misuse, and other harmful activities.
• Service improvement: To analyse usage patterns, measure service quality, and improve our Platform, products, and customer experience.
• Communications: To send transactional messages (booking confirmations, service reminders, payment receipts) and, with your consent, promotional and marketing communications.
• Legal and regulatory compliance: To comply with applicable laws, regulations, court orders, and governmental requests, including tax and accounting obligations.

Under the DPDP Act, 2023, we process your personal data based on one or more of the following lawful bases:

• Consent: You provide explicit consent at the time of account registration, booking, or when enabling specific features (e.g., marketing notifications). Consent is obtained through a clear affirmative action such as ticking a checkbox or clicking “I Agree”.
• Legitimate uses: Processing necessary for the performance of a service you have requested, compliance with applicable laws, responding to a medical emergency, ensuring safety, or for employment-related purposes, as permitted under the DPDP Act.

Withdrawal of Consent

You have the right to withdraw your consent at any time by contacting us at [email protected]. Please note that withdrawal of consent will not affect the lawfulness of processing carried out before such withdrawal. Additionally, withdrawing consent may impact our ability to provide certain services to you. For example:

• Withdrawing consent for communication may prevent us from sending you important service reminders and OTPs required for authentication.
• Withdrawing consent for data processing essential to service delivery may require us to terminate your subscription and arrange for Equipment return.

We will inform you of the specific consequences of consent withdrawal before processing your request.

To opt out of marketing communications, use the in-app notification or preference settings where available, or contact us at [email protected]. If an in-app opt-out option is not available, please contact support to opt out of marketing. Transactional messages (e.g. OTP, invoices, service updates) will continue to be sent even if you opt out of marketing.

We do not sell or rent your personal data to third parties. We may share your personal data with the following categories of recipients, solely for the purposes described in this Policy:

• Payment gateways: Razorpay and Cashfree Payments, for processing payments, refunds, and related financial transactions.
• Messaging and notification providers: WhatsApp Business API providers, SMS gateways, email delivery services, and push notification services, for sending transactional and (where consented) marketing communications.
• Hosting and infrastructure vendors: Cloud service providers and content delivery networks that host the Platform and store data on our behalf, under appropriate contractual and security safeguards.
• Service partners: Authorised technicians and service personnel who require access to your address and service details to perform installations, maintenance, and repairs.
• Legal and regulatory disclosures: Government authorities, law enforcement agencies, courts, or regulators, where required by applicable law, legal process, or government request, or where necessary to protect the rights, property, or safety of Ashva Pure, our customers, or the public.

All third parties with whom we share data are required to maintain appropriate confidentiality and security safeguards and to process data only for the purposes specified by Ashva Pure.

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law. The general retention periods are as follows:

Upon expiry of the applicable retention period, personal data will be securely deleted or anonymised. If deletion is not immediately feasible (e.g., data in backups), we will isolate the data and refrain from further processing until deletion is completed.

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include, but are not limited to:

• Encryption in transit: All data transmitted between your device and our servers is encrypted using TLS (Transport Layer Security).
• Access control: Role-based access controls ensuring that only authorised personnel can access personal data, on a need-to-know basis.
• Least privilege: System accounts and API credentials are configured with the minimum permissions necessary for their function.
• Audit logging: Access to sensitive data and administrative actions are logged for monitoring and audit purposes.
• Vendor controls: Third-party service providers are evaluated for their security posture and required to maintain reasonable security standards.

While we strive to protect your personal data, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security but are committed to implementing commercially reasonable safeguards and promptly addressing any identified vulnerabilities.

As a Data Principal, you have the following rights under the DPDP Act, 2023, subject to applicable conditions and exceptions:

• Right to access: You have the right to obtain a summary of your personal data being processed by us and the processing activities undertaken.
• Right to correction: You have the right to request correction of inaccurate or incomplete personal data, and to have such corrections communicated to entities with whom the data has been shared.
• Right to erasure: You have the right to request erasure of your personal data where it is no longer necessary for the purpose for which it was collected, subject to legal retention requirements.
• Right to withdraw consent: Where processing is based on consent, you may withdraw such consent at any time (see Section 5).
• Right to grievance redressal: You have the right to raise a grievance regarding the processing of your personal data (see Section 10).
• Right of nomination: You have the right to nominate another individual to exercise your rights in the event of your death or incapacity, as provided under the DPDP Act.

How to exercise your rights: You may submit a request (i) through the customer portal or app where available (e.g. privacy or account settings, DSAR request flow), or (ii) by email to [email protected], including your registered mobile number and any relevant reference IDs (e.g. subscription ID, ticket number) so we can verify your identity and locate your data. We will verify your identity before processing your request and respond within the timelines prescribed by applicable law.

If you have any concerns or grievances regarding the processing of your personal data, you may contact our Grievance Officer:

Name: Grievance Officer
Email: [email protected]
Phone: +91 84959 98156
Address: 220, 6TH CROSS, GANAKALLU, SRINIVASAPURA COLONY, KENGERI HOBLI, BANGALORE, KARNATAKA, INDIA - 560060

The Grievance Officer will acknowledge your grievance within forty-eight (48) hours and endeavour to resolve it within seven (7) business days from the date of receipt. If you are not satisfied with the resolution provided, you may escalate your complaint to the Data Protection Board of India established under the DPDP Act, 2023.

Your personal data may be processed or stored on cloud infrastructure in India and/or other jurisdictions, as permitted by applicable law, depending on the infrastructure of our hosting and service providers. Where personal data is transferred outside India, we take appropriate contractual and organisational safeguards to ensure that the data receives a level of protection consistent with Indian data protection laws and the requirements of the DPDP Act.

We will not transfer your personal data to any country or territory that has been restricted by the Central Government under Section 16(1) of the DPDP Act, 2023, unless otherwise permitted by law.

Our services are intended for adults. We do not knowingly collect personal data from individuals below the age of eighteen (18). If we become aware that we have inadvertently collected personal data relating to a minor, we will delete such data upon notice. If you believe we hold data pertaining to a minor, please contact us at [email protected].

The Platform uses cookies and similar technologies to enhance your browsing experience and collect usage data. Our cookie usage is minimal and includes:

• Essential cookies: Required for the Platform to function correctly (e.g., session management, authentication state). These cannot be disabled without affecting functionality.
• Analytics cookies: Used to understand how visitors interact with the Platform, measure page performance, and identify areas for improvement. These may include third-party analytics services.

We do not currently use advertising or cross-site tracking cookies. You can manage cookie preferences through your browser settings. Disabling essential cookies may impair your ability to use the Platform.

We may update this Privacy Policy from time to time to reflect changes in our data practices, legal requirements, or business operations. When we make material changes, we will notify you by posting the updated Policy on the Platform with a revised “Last Updated” date, and where practicable, by sending a notification via email or an in-app notice.

We encourage you to review this Policy periodically. Your continued use of the Platform after the effective date of any updated Policy constitutes your acceptance of the changes. If you do not agree with the updated Policy, you should discontinue use of the Platform and contact us to exercise your data rights.